As global outages hit banking firms and payments worldwide, are we to be forever doomed by glitches, power outages and cyberattacks? Possible solutions may exist, but what are they?
It’s been a bad week for global payment and IT systems, as the Clearing House Automated Payment System (CHAPS) experienced a major outage causing serious issues in the UK, swiftly followed by a Microsoft outage that caused havoc for banking firms across the globe.
On Thursday 18 July, the CHAPS system, used by UK high-street banks and lenders to send money to one another, experienced an outage, caused by a glitch related to the global network Swift. On average, CHAPS enables around 200,000 payments per day. According to the Bank of England, the average daily value of CHAPS payments in February 2021 was £345billion.
While the Bank of England confirmed that Swift had “restored service following earlier issues” and that “CHAPS payments are settling as normal”, later that day, the disruption could still prove very costly.
By Friday 19 July, a completely separate issue saw a huge IT outage causing chaos for travel companies, alongside the healthcare and banking sectors. The problems were caused by another ‘glitch’ in a content update for devices running Microsoft Windows, originating from cybersecurity service provider CrowdStrike.
With so many firms grinding to a halt, across a wide range of sectors, the general level of preparedness appears to have significant shortcomings. Because of this, many will wonder how they can better equip themselves with tools to ensure they can mitigate the impact of problems, even if something on this scale happens again.
Better balancing risk
“Things will always go wrong: it’s a question of when, not if,” says Dafydd Vaughan, CTO at Public Digital and co-founder of the UK Government Digital Service.
“Companies and national governments need to be prepared and take mitigating actions to minimise their exposure. This crisis could have been avoided by companies rolling out computer updates on a few machines first to check they work, rather than sending them to all machines at the same time.
“The government needs to consider the risk that comes with so few companies controlling so much of our essential infrastructure. In all industries, the government should see the value of more competition in their supply chains, and work to increase the number of companies that provide these essential services and avoid monopolies controlling our national infrastructure.
“We get a lot of benefits from systems being connected and sharing information, but that does introduce risk too. We need to balance the gains against the risk and be aware that issues like this can – and increasingly will – happen.”
Could DORA be a turning point?
While these system outages and disruptions have crippled firms worldwide, even if it is just in the short term, it’s hardly a surprise. The need for operational resilience is something the European Union is aiming to address with its Digital Operational Resilience Act (DORA).
The act aims to set new standards for financial sector enterprise service resilience, requiring firms to ensure compliance by 17 January 2025.
Alex Reddish, managing director of Tribe Payments, discusses the impact this regulation could have in the future, and whether further action will be needed: “We are now in a period where we have seen large institutional payment rails fail more frequently than we have ever seen before. I cannot imagine a time when technology oversight was more important.
“Although CrowdStrike is not a payment processor, the indirect consequences of its outage impact brand value and reputation for various businesses using its service. What we’re seeing today shows an incredible need for us to look at infrastructure beyond payments.
“I think the DORA regulation is a foundation for solving this problem, though it won’t solve it entirely. DORA covers some aspects, but it will never be enough as we continually push the boundaries of efficiency and economic value. Digital and operational resilience should be a top priority for everyone, regardless of whether they’re critical infrastructure or not.”
Regulation, regulation, regulation
Regulations may well be key in ensuring these types of issues aren’t quite as impactful in the future.
For Alina Timofeeva, board member at BCS, the chartered institute for IT, it is key that regulators and firms take action equally seriously: “Regulators like the Financial Conduct Authority and European Banking Authority do have regulations in place that call out concentration risk in the market and the fact is that companies should be doing much more to mitigate it.
“I believe, going forward, there will be a much bigger push from regulators to mitigate concentration risk, for companies and providers. I anticipate both tighter regulations, but also tighter scrutiny from the regulator should companies prioritise the cost and efficiency over the safety and security of their operations.”
“It is key for companies to invest in operational resilience. This would cover technology, data, third parties, processes and people. It is also key to test out the disaster recovery plans, instead of having these as a paper exercise and ensure that all the people, processes and data (and not only the technology) are tried and tested at scale, and there is sufficient preparation in place should such an outage happen in future. It is key to do simulation scenarios and testing of these.”
Time to modernise
While regulations and operational resilience will be crucial in mitigating the risk of future outages, there are also questions about whether existing payment infrastructure in the UK is outdated.
Carol Grunberg, chief business officer at Yuno, a global payment orchestration platform, believes an overhaul is required: “Existing payment infrastructure is showing its age, exemplified by the CHAPS system outage in the UK. These disruptions indicate that many payment systems, designed decades ago, struggle with today’s transaction complexity and volume.
“Solutions to modernise payment systems include upgrading existing systems – regular updates with more resilient software and cloud technologies can enhance performance and reliability. Partnering with modern fintechs specialising in payments infrastructure should also help to effectively manage today’s global payment volumes and complexities. These companies utilise advanced technology stacks and methodologies to ensure seamless and scalable operations.
“A complete overhaul may be necessary for long-term sustainability. This involves re-engineering the architecture towards modular, microservices-based frameworks, enhancing interoperability, and investing in robust cybersecurity. Blockchain technology can offer decentralised alternatives. Robust, stress-tested systems can serve as blueprints for these upgrades and overhauls, ensuring smoother transitions and greater reliability.”
Do we need to quicken implementation?
However, it might not be time to despair completely. As Michael Levens, head of data, technology, automation and testing at Delta Capita, explains, moves to update our systems have been taking place for years.
“While it might not be obvious, modernisation efforts have been underway for many years to ensure payment systems are able to cope with the future demands. The Bank of England’s RTGS Renewal Programme started in 2017, aiming to improve the resiliency and flexibility of the RTGS system. This has included using new technology and messaging standards (ISO 20022) to improve performance, data quality and operational efficiency.
“While focused more on retail payments, the concept of the UK’s New Payment Architecture (NPA) started in 2015 with its main aim to modernise the existing payment infrastructure and provide a more resilient, efficient, and innovative payment system.
“Unfortunately, the development of NPA has been delayed many times and we are still awaiting the delivery of NPA to really propel the UK’s payments systems into the new digital age. So, in summary, it has been acknowledged for some time our existing payment infrastructure is outdated and action is required. Unfortunately, implementations of these initiatives have been slower than hoped.”
Failing to prepare is preparing to fail
“There is a tendency to see the perfect storms like this as implausible, but after the past five years, I think we need to treat almost everything you can think of as plausible,” says Kate Needham-Bennett, senior director of resilience innovation at Fusion Risk Management.
“Financial services firms defend against cyberattacks every second – eventually one will get through; energy supplies can be disrupted by weather, geopolitics, manufacturing errors, etc, so there will be power outages; and there have been system glitches since the industrial revolution.
“All they can do is prepare for when they do happen; get a single pane of glass view of their data, establish what is important (to customers, the firm and the market), map out dependencies, exercise against impact tolerances or recovery time objectives, and then remediate where possible.”
“The financial industry needs to adopt a multifaceted approach”
Many firms may also look to see how they can enhance or implement new technical solutions to ensure they don’t also fall victim to power outages or cyberattacks.
Matt Williamson, SVP and industry principal at Endava, suggests some ways in which firms can safeguard themselves against these threats: “To safeguard against cyberattacks, power outages, and system glitches similar to those we have seen this week, the financial industry needs to adopt a multifaceted approach.
“The first step in improving cybersecurity is implementing sophisticated threat detection and response systems, such as AI-driven solutions, which can assist in quickly identifying and eliminating such threats. Regular security audits, penetration testing, and multi-factor authentication are all methods to further bolster defences.
“Secondly, preparedness for power outages is critical. Implementing uninterruptible power supply (UPS) systems and backup generators will ensure critical operations continue uninterrupted. Integrating cloud-based solutions for data storage and operations adds another layer of resilience, allowing for quick recovery and data redundancy. Patching and system updates on a regular basis remain crucial for vulnerability protection.
“In addition, the financial sector needs to continually promote cooperation and adherence to regulatory standards like GDPR and PCI DSS.
“Ultimately being prepared for anything should be ensured by creating a thorough crisis management strategy, practising frequently, and keeping open lines of communication with all relevant parties.”
The post What Can We Learn From Payment System Failures and Global IT Outage? appeared first on The Fintech Times.